a word from the wyze —

Employee error to blame for massive data leak, Wyze says

Yet another cloud-based service left a big pile of data sitting around unlocked.

Wyze Web-connected personal surveillance camera, August 2019.

Loads of folks found brand-new Wyze surveillance cameras under their trees or in their stockings this Christmas. And on Boxing Day, the company itself unwrapped a whole new world of trouble for everyone who uses its products, confirming a data leak that may have exposed personal data for millions of users over the course of a few weeks.

Wyze first found out about the problem on the morning of December 26, company cofounder Dongsheng Song said in a corporate blog post. The company's investigation confirmed that user data was "not properly secured" and was exposed from December 4 onward.

The database in question was basically a copy of the production database that Wyze created to work with, Song explained. Data points left exposed include user email addresses, camera nicknames, Wi-Fi network information, Wyze device information, some tokens associated with Alexa integrations, and "body metrics for a small number of product beta testers."

The company blames an employee for the exposure. "A mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed," Song wrote. "We are still looking into this event to figure out why and how this happened."

A pair of essays from a mysterious (and possibly fake) firm called 12Security first brought the leak to light. The firm alleges that data for 2.4 million Wyze users was included in the leak, claiming that the data was sent to the Alibaba cloud and that the breach is tied to China.

Seattle-based Wyze, however, has extremely strong ties to Amazon and strongly denies the allegation that it uses the Alibaba Cloud. "Wyze does have official Wyze employees and manufacturing partners in China, but Wyze does not share user data with any government agencies in China or any other country," the company said.
